iWarren

255.255.255.255 Custom Address causes EIS v11 to stop working.


Using latest version of EIS v11 (new installation today).

I was trying to add custom addresses for svchost.exe for all the specific ports used for connectivity.

Here's what I have for "Outgoing Connections":

5355 UDP - ALLOW - Custom Address: 224.0.0.252

53 UDP - ALLOW - Custom Address: 224.0.0.252, 192.168.0.1, (My ISP DNS Server Here)

67 UDP - ALLOW - All

This setup is operational, however the trouble came when I tried to be specific with port 67. I entered a custom address of 255.255.255.255 because I saw this was an address it used.

Upon entering it, EIS refused to update the entries or allow the svchost rule to be removed. EIS more or less became despondent. When I rebooted the system it stalled for ~30 seconds, then the A2service failed to start, and was stuck in a mode of "Starting" and wouldn't stop or start no matter what I did. I couldn't get into a2start.exe because it kept saying "Eis is waiting on a service to start".

So I deleted the "Custom Address = 255.255.255.255" entry in a2rules.ini for svchost.exe and restarted. Everything worked fine after that. I tried other addresses like 0.0.0.0 and it worked fine; it seems to be that one specific rule for 'broadcasting' that it seemed to flake out on.

If someone could verify this. I understand it might not be a bug and more of an invalid settings issue for the crucial file svchost.exe.

Let me know what you think.

Also, while I was in TcpView I noticed LSASS was connected to a TCP local port of 1032, but I noticed that the firewall by default blocks ports 1024 - 1030. So you might consider extending the range.

I also poked around online and saw someone else had an lsass on port 1033

https://social.technet.microsoft.com/Forums/windowsserver/en-US/d1ed4af9-bdb2-4315-8b37-209397363f58/mmc-ports-for-managing-dhcp?forum=winserverPN

and here they mention 1024 - 1034

https://support.microsoft.com/en-us/kb/908472

Not sure if it's related, but they mention here something about blocking RPC ports 1024-5000


Let's get some debug logs from Emsisoft Internet Security. In order to do this, you will first need to run a batch file to enable debug logging. This batch file is contained in the ZIP archive at this link (this ZIP archive also contains a batch file to disable debug logging).

Please save that ZIP archive on your desktop, extract its contents, and then follow these instructions:

  • Run the enable_debug_output batch file (if your computer has Windows Vista, Windows 7, or Windows 8 then please right-click on the batch file and select Run as administrator).
  • You will see a black window pop up, and then disappear very quickly. After that happens, please restart your computer.
  • Reproduce the issue you are having.
  • Once you have reproduced the issue, hold down the Windows key on the keyboard (the one with the Windows logo on it, usually in between the Ctrl and Alt keys) and tap the R key to open the Run dialog.
  • Type the following into the Run dialog, and then click OK:

    %ALLUSERSPROFILE%\Emsisoft
  • A window should open and you should see a Logs folder. Right-click on that Logs folder, go to Send to, and select Compressed (zipped) folder.
  • Move the new ZIP archive you created with the logs folder in it to your desktop.
  • Send the ZIP archive containing the logs to me in a Private Message.
Note: If you get an error message when trying to send the Logs folder to a Compressed (zipped) folder then you may need to try a utility such as 7-Zip or WinRar to compress the folder. Both 7-Zip and WinRar have options to create an archive and save it in another location (such as on your desktop), which should prevent the error message. Here are links to the download pages for 7-Zip and WinRar.

After sending me the debug logs, you can run the disable_debug_output batch file (be sure to run it as administrator as well) and restart your computer again to disable debug logging.


I was able to reproduce the issue. I tried a different port to see if it was exclusive to 67 but had the same result. Stops updating rules and stops responding, basically cripples the a2antimalware service.

To fix it, I have to update a2rules.ini and a2rules.backup.ini and remove the custom address, and restart before the service will start again, otherwise the service just hangs and constantly says "Starting".

Eventually EIS says it has a serious error.

I made a log and edited out my keys and such. You're going to be looking for the 11:49; that's the hour and minute I added the 255.255.255.255 entry into the custom address.

I wish now I got the exact second, but you should still be able to find it. I think I found the update rule a couple times, but I couldn't find anything relevant.

Also tried 111.111.111.111 to see if it was a length issue, but it worked fine. 255.255.255.254 worked fine as well. Tried 0.0.0.0 and it had no issue with that either.

Also note, the logs cover only when the entry was added, as well as a failed attempt to delete an entry.

I didn't make a log of booting up with the service failing to start, because I figured it might be more helpful to see what initially causes it to glitch.

eis5539.zip
